User:JM01085758/lockdown

From Gentoo Wiki
This article is a work in progress; treat its contents with caution - JM01085758.
Resources

Since kernel version 5.4,[1] the kernel has supported integrity and confidentiality lockdown modes. Lockdown is a Linux Security Module (LSM). Whereas LSMs have traditionally focused on access control once userspace is running, lockdown is enabled very early in the boot sequence, even before kmalloc() can request memory.[2] Integrity mode disables features that allow userspace to modify the running kernel. Confidentiality mode does the same and goes further, also preventing the extraction of confidential information from the kernel.[3] Enabling either mode prevents the loading of unsigned kernel modules as well as unencrypted hibernation or suspend to swap.[4] In Gentoo, neither mode is enabled by default, but on EFI x86 or arm64 systems running other distributions, lockdown may be enabled automatically when Secure Boot is enabled.[4]
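The kernel reports the mode it is currently enforcing through securityfs, as a single line in /sys/kernel/security/lockdown of the form "none [integrity] confidentiality", with the active mode in brackets. The following script is an added example (not part of this wiki page or of the lockdown LSM itself) that parses that line and the lockdown= kernel parameter from /proc/cmdline, which is useful for confirming on a Gentoo system that the mode you expect is really in effect; the function names and the sample strings in the comments are the example's own.

```shell
#!/bin/sh
# Added example: report the lockdown mode of the running kernel.
# The securityfs node /sys/kernel/security/lockdown contains one line such as
#   none [integrity] confidentiality
# where the bracketed word is the mode currently enforced.

# Print the bracketed (active) mode from one line of the lockdown file.
lockdown_mode_from_line() {
    # $1 is the file content, e.g. "none [integrity] confidentiality"
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# Print the value of the lockdown= parameter in a kernel command line,
# or "unset" when the parameter is absent.
lockdown_from_cmdline() {
    # $1 is deliberately unquoted so it splits into words
    for word in $1; do
        case "$word" in
            lockdown=*) printf '%s\n' "${word#lockdown=}"; return 0 ;;
        esac
    done
    printf 'unset\n'
}

# Report on the live system; both sources are optional so the script
# degrades gracefully on kernels without the LSM or without securityfs.
report_lockdown() {
    if [ -r /sys/kernel/security/lockdown ]; then
        line=$(cat /sys/kernel/security/lockdown)
        printf 'securityfs: %s (active mode: %s)\n' "$line" \
            "$(lockdown_mode_from_line "$line")"
    else
        printf 'securityfs: /sys/kernel/security/lockdown not present '
        printf '(LSM not built in, or securityfs not mounted)\n'
    fi
    if [ -r /proc/cmdline ]; then
        printf 'cmdline: lockdown=%s\n' \
            "$(lockdown_from_cmdline "$(cat /proc/cmdline)")"
    fi
}

report_lockdown
```

A kernel built with the lockdown LSM but booted with neither a lockdown= parameter nor a default mode reports "[none] integrity confidentiality", so the two lines of output together tell you whether the mode came from the kernel configuration or from the boot loader.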

Background

The motivation for implementing this feature was "to enforce a distinction between running as root and the ability to run code in kernel mode".[5] To quote Matthew Garrett, "if you can run arbitrary code in the kernel then you can use the kernel to boot anything you want",[6] defeating the point of UEFI Secure Boot. Work on the lockdown LSM began in the early 2010s.[7]

Kernel

KERNEL menuconfig
Security options  ---> 
    [*] Basic module for enforcing kernel lockdown
    [*]   Enable lockdown LSM early in init
          Kernel default lockdown mode (Integrity)  --->

GRUB

Lockdown modes can also be enabled at boot time through GRUB by passing the lockdown= kernel parameter, for example GRUB_CMDLINE_LINUX="lockdown=integrity".[3]
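Editing GRUB_CMDLINE_LINUX by hand is easy to get wrong when the variable already carries other parameters or an earlier lockdown= value, which can leave two conflicting parameters on the command line. The script below is an added example (not from this wiki page or from GRUB) that sets the parameter idempotently in a GRUB defaults file, which is assumed to be /etc/default/grub unless another path is given; the function names are the example's own, and it assumes GNU sed (for sed -i), as shipped on Gentoo. After changing the real file, grub.cfg still has to be regenerated for the new command line to take effect.

```shell
#!/bin/sh
# Added example: set lockdown=<mode> in GRUB_CMDLINE_LINUX of a GRUB
# defaults file (assumed /etc/default/grub) exactly once.
# Usage: set_grub_lockdown integrity|confidentiality [file]

set_grub_lockdown() {
    mode=$1
    file=${2:-/etc/default/grub}
    # Only the two modes the kernel understands are accepted.
    case "$mode" in
        integrity|confidentiality) ;;
        *) echo "unknown lockdown mode: $mode" >&2; return 2 ;;
    esac
    if grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
        if grep -q '^GRUB_CMDLINE_LINUX=.*lockdown=' "$file"; then
            # A lockdown= parameter is already present: rewrite its value.
            sed -i "/^GRUB_CMDLINE_LINUX=/s/lockdown=[a-z]*/lockdown=$mode/" "$file"
        else
            # First expression: append to a non-empty quoted value.
            # Second expression: fill an empty "" value (the first one
            # does not touch it, so the parameter is never added twice).
            sed -i \
                -e "/^GRUB_CMDLINE_LINUX=\"[^\"]/s/\"\$/ lockdown=$mode\"/" \
                -e "/^GRUB_CMDLINE_LINUX=\"\"\$/s/\"\"\$/\"lockdown=$mode\"/" \
                "$file"
        fi
    else
        # No GRUB_CMDLINE_LINUX line at all: add one.
        printf 'GRUB_CMDLINE_LINUX="lockdown=%s"\n' "$mode" >> "$file"
    fi
}

# Print the lockdown mode configured in a GRUB defaults file, or "unset".
grub_lockdown_mode() {
    sed -n '/^GRUB_CMDLINE_LINUX=/s/.*lockdown=\([a-z]*\).*/\1/p' "$1" \
        | grep . || echo unset
}
```

Running set_grub_lockdown a second time with a different mode replaces the value rather than adding a second lockdown= word, and grub_lockdown_mode can be used afterwards to confirm which mode the file now requests.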

Impact

Enabling one of the lockdown modes will affect one's ability to modify and/or read from the following:

A more extensive list can be seen here.[4]

Vulnerabilities

Kernels prior to 5.19 contain a trivial bypass bug, CVE-2022-21505.[9][10]

CVE-2022-21499 was patched in May 2022.[11]

See also

External resources

References